Electronic group signature method with revocable anonymity, equipment and programs for implementing the method

ABSTRACT

A ring-signature scheme is adapted so that at least one of the variability parameter values used is an identity trace of the anonymous signatory, determined as a function of anonymity withdrawal data stored and held secret by an anonymity withdrawal entity in connection with an identification of the anonymous signatory. This provides a subsequent controlled capacity of withdrawing the anonymity of the signatory, either by an authority, or by the signatory himself.

BACKGROUND OF THE INVENTION

[0001] The present invention relates to electronic signature techniques and more particularly to group signature techniques.

[0002] The fundamental object enabling the public part of a cryptographic key (public key) to be trusted is the certificate. The certificate standard used in numerous networks, including the Internet, is X.509, version 3. A specification thereof is provided by the PKIX working group of the IETF (“Internet Engineering Task Force”) in the Request For Comments (RFC) 3280, “Internet X.509 Public Key Infrastructure; Certificate and Certificate Revocation List (CRL) Profile” published in April 2002. The certificate is an object comprising in particular:

[0003] the public key to be certified;

[0004] the identity of its possessor;

[0005] a period of validity;

[0006] a cryptographic signature of these data by the private key of a Certifying Authority (CA) that issued the certificate.

[0007] Trusting the public key associated with an identity amounts to making sure of the validity of the certificate. For PKIX, a certificate is valid at a given instant T (in terms of trust):

[0008] either if it is explicitly declared as “trusted certificate”. In practice, the certificates of users are never declared trusted. Rather, a reduced number of trusted certificates is declared, consisting of the certificates of certain CAs;

[0009] or if it satisfies the following conditions:

[0010] the cryptographic signature of the certificate is mathematically valid;

[0011] the instant T forms part of the period of validity of the certificate;

[0012] the certificate is not revoked at the instant T;

[0013] the public key of the issuing CA is available through a certificate of the CA, and this certificate of the CA is itself valid at the instant T.

[0014] The electronic signature function makes it possible to guarantee the authenticity of a document, i.e. to dependably authenticate its signatory or signatories and to guarantee that the document has not been modified (integrity). The electronic signature is often used to guarantee nonrepudiation. The nonrepudiation of a document consists in guarding against a subsequent denial from its author.

[0015] This traditional electronic signature transposes the mechanism of manual signing over to the electronic world. Another form of electronic signature, relying on multiplayer cryptography techniques, offers features which are both comparable to regular signing (some guarantee of the origin of a message) and radically different (anonymity of the signatory among a group of people). The group signature allows an individual member of a group administered by an authority to effect a signature in the name of the group.

[0016] The group signature involves at least one signatory, a group of individuals to which the signatory belongs, and an authority. It allows an individual to sign in the name of a group of individuals, but anonymously. When an entity verifies a group signature, it is certain that the signature has indeed been effected by a member of the group, without being able to determine which one. Only one entity can determine the identity of the signatory: the authority. In this case, it is said to “open” the signature. The group signature is then said to have “limited anonymity”. This possibility of withdrawing the anonymity may turn out to be useful, in particular in case of fraud or to ensure the proper operation of a service such as for example an auction service. In general, the group signature requires an initialization phase and involves specific cryptographic keys.

[0017] The group signature mechanisms are not standardized. Examples thereof are described in the articles:

[0018] D. Chaum, et al., “Group signatures”, Eurocrypt'91, 1991;

[0019] G. Ateniese, et al., “A Practical and Provably Secure Coalition-Resistant Group Signature Scheme”, Crypto 2000, http://www.zurich.ibm.com/security/publications/2000/CAJT2000.pdf.

[0020] These known group signature techniques generally make it possible to withdraw anonymity. However, they have drawbacks: they are unwieldy to set up, require an administrating authority, and their keys are incompatible with the market standards. The management of the groups greatly complicates these group signature mechanisms. In general, it is the authority that is charged with this. However, this does not detract from the complexity of the operations for enrolling a new member into an already existing group and of removing a member from a group. As the signing operations call upon nonstandard keys, a user furnished with an RSA key and with an X.509 certificate will not be able to use this key to effect his group signature.

[0021] The “ring-signature” is a multiplayer cryptography signature algorithm which is not properly speaking a group signature. It differs from the group signature in that:

[0022] the people in whose names the signatory produces his ring-signature are not part of a formalized group and have not therefore given explicit consent;

[0023] there is no authority;

[0024] unless the signatory is explicitly mentioned, anonymity cannot be withdrawn.

[0025] However, it is necessary that all possible signatories should have a public key accessible to the signatory. There is no need for a prior phase of configuration. As there is no authority, the ring-signature offers complete anonymity, i.e. nobody can determine who is the actual signatory, unless complementary mechanisms are introduced.

[0026] This ring-signature mechanism was first introduced by R. L. Rivest, et al.: “How to Leak a Secret”, Asiacrypt'01, December 2001, http://theory.lcs.mit.edu/-rivest/RivestShamirTauman-HowToLeakASecret.pdf. Variants thereof have since been proposed, for example by E. Bresson, et al., “Threshold Ring Signatures and Applications to Ad-hoc Groups”, Crypto'02, August 2002.

[0027] The ring-signature involves a signatory E_(s) from among a set E of r entities or individuals E_(i) able to sign (i ranging from 1 to r), furnished with respective public keys PUB_(i) accessible to the signatory. Each of the public keys PUB_(i) is associated, in an asymmetric cryptography scheme such as for example the RSA, with a private key PR_(i) known only to the member E_(i). The signatory E_(s) belongs to the set E (1≦s≦r). A ring-signature algorithm allows E_(s) to sign in the name of E but anonymously in the sense that an entity verifying a ring-signature is certain that the signature was indeed effected by a member of E, without being able to determine which one.

[0028] Let M denote the set of messages or documents able to be signed. The number b designating a “ring width” expressed in bits, B denotes the set of messages of b bits. A “combination” C determines a combination function C_(m,v) as a function of any number of input variables in B, taking its values in B, dependent on at least two parameters m ∈ M and v ∈ B and such that, all the input variables except any one being fixed, C_(m,v) is a bijection of B into B. To minimize the algorithmic complexity, it is advisable that (i) for all values of the input variables, C_(m,v) be easy to calculate, and (ii) the inverse of each of the aforesaid bijections be also easy to calculate. This inverse operation is called “solving of the ring equation”. For certain variables y₁, y₂, . . . , y_(r), “the ring equation” is expressed in the following manner:

C_(m,v)(y₁, y₂, . . . , y_(r)) = v   (1)

[0029] Moreover we define a function A which, with asymmetric cryptography keys (PUB, PR), where PUB is a public key and PR a corresponding private key, associates a pair (g, h) such that:

[0030] g is a function with values in B which can depend on PUB but not on PR;

[0031] h is a function of a variable of B which can depend on PUB and PR;

[0032] g and h are inverses of one another, i.e.:

[0033] g(h(y))=y for any y in B; and

[0034] h(g(x))=x for any x acceptable as an input of g.

[0035] The definition of the triplet (b, C, A) characterizes a ring-signature scheme. A “ring-signature production system” is defined by such a triplet (b, C, A), a set of entities E={E_(i)/1≦i≦r} each having a pair of public and private keys PUB_(i), PR_(i) defining a pair of functions (g_(i), h_(i))=A(PUB_(i), PR_(i)), an index s ∈ {1, 2, . . . , r} designating a signatory entity E_(s), and a message m ∈ M.

[0036] This ring-signature production system being fixed, the provision of the public keys PUB_(i) of the r entities E_(i), of an element v of B, and of r elements x_(i) (1≦i≦r) is called the ring-signature of the message m in the name of E. This signature is valid if it satisfies the ring equation (1) for the r input variables y_(i)=g_(i)(x_(i)) of B (1≦i≦r).

[0037] An algorithm for ring-signature production by S thus executes as follows:

[0038] /a/ randomly choose v in B;

[0039] /b/ choose random elements x_(i) for all the i≠s;

[0040] /c/ solve the ring equation in y_(s) by fixing the input variables y_(i)=g_(i)(x_(i)) for i≠s by means of the public keys PUB_(i), i.e. determine y_(s) such that

C_(m,v)(g₁(x₁), . . . , g_(s−1)(x_(s−1)), y_(s), g_(s+1)(x_(s+1)), . . . , g_(r)(x_(r))) = v

[0041] /d/ calculate x_(s)=h_(s)(y_(s)) by means of the private key PR_(s); and

[0042] /e/ deliver the ring-signature: (PUB₁, PUB₂, . . . , PUB_(r); v; x₁, x₂, . . . , x_(r)).

[0043] This ring-signature is then verifiable by the following verification algorithm:

[0044] /f/ calculate the y_(i)=g_(i)(x_(i)) for 1≦i≦r by means of the public keys PUB_(i);

[0045] /g/ evaluate the combination function C_(m,v)(y₁, y₂, . . . , y_(r)); and

[0046] /h/ accept the ring-signature if and only if the result is v.

[0047] The ring-signature makes it possible to remedy the drawbacks of the conventional group signature procedures. However, in its known versions, it precludes the ability to withdraw anonymity. Now, the ability to withdraw anonymity is an essential property for a certain number of applications such as for example electronic suggestion boxes, electronic lottery applications, electronic auction services, etc.

[0048] An object of the present invention is to adapt the ring-signature technique to allow the withdrawal of anonymity.

SUMMARY OF THE INVENTION

[0049] The invention thus proposes a method of electronically signing a message (m) by an anonymous signatory belonging to a group of r possible signatories each having an associated public key and an associated private key in an asymmetric cryptography scheme, r being an integer greater than 1. This method comprises the following steps executed in an electronic signing device of the anonymous signatory:

[0050] obtaining at least r values of variability parameters including the values of r-1 variability parameters respectively associated with the other possible signatories of the group and at least one additional parameter value;

[0051] enciphering the values of the r-1 variability parameters associated with the other possible signatories of the group, by means of the respective public keys of said other possible signatories, thereby producing r-1 enciphered values respectively associated with the other possible signatories of the group;

[0052] determining a complementary value which satisfies a ring equation whose variables are the message to be signed, each of the r-1 enciphered values associated with the other possible signatories of the group, each additional parameter value and said complementary value;

[0053] deciphering the complementary value determined, by means of the private key of the anonymous signatory, thereby producing the value of a variability parameter associated with the anonymous signatory; and

[0054] delivering an electronic signature of the message comprising the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value.

[0055] According to the invention, at least one of the r values of variability parameters is an identity trace of the anonymous signatory, determined as a function of anonymity withdrawal data stored and kept secret by at least one anonymity withdrawal entity in relation with an identification of the anonymous signatory.

[0056] The method allows the withdrawal of anonymity regarding signatures having the same properties as the ring-signature. This advantageously makes it possible to employ a signature algorithm having most of the properties of group signatures, but with standard keys, without the unwieldy management of groups, and without the compulsory requirement for an administrator.

[0057] Another aspect of the present invention pertains to an electronic signature device for signing messages by an anonymous signatory, comprising means adapted for implementing the steps of the method defined above, which are incumbent on such electronic signature device.

[0058] Another aspect of the present invention pertains to a trusted server for intervening in the production of anonymity withdrawal data relating to at least one anonymous signatory, comprising means for implementing the steps of certain modes of execution of the method defined above, which are incumbent on such server.

[0059] The invention also proposes computer programs to be installed in an electronic signature device or in a trusted server. These programs comprise instructions for implementing the steps of a method as defined above, which are incumbent on such device or server, during their execution by processing means of said device or server.

[0060] Yet another aspect of the present invention pertains to a method for withdrawing anonymity of the anonymous signatory of a message signed electronically in accordance with a method as defined above. This anonymity withdrawal method comprises the steps of:

[0061] verifying the electronic signature of the message, by extracting from the electronic signature of the message the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, by obtaining r enciphered values by enciphering the values of the variability parameters associated with the r possible signatories of the group by means of their respective public keys, and by making sure that the message, the r enciphered values and each additional value together satisfy the ring equation;

[0062] recovering the anonymity withdrawal data stored by the anonymity withdrawal entity in relation with the identification of the anonymous signatory;

[0063] recalculating the identity trace of the anonymous signatory as a function of the anonymity withdrawal data recovered; and

[0064] verifying that the recalculated identity trace corresponds to the identity trace included in the r values of variability parameters forming part of the electronic signature of the message.

[0065] The invention also proposes a computer device for withdrawing anonymity of at least one anonymous signatory of an electronically signed message, comprising means adapted for implementing the steps of the anonymity withdrawal method above, as well as a computer program to be installed in such a computer device for withdrawing anonymity of at least one anonymous signatory of an electronically signed message, comprising instructions for implementing the steps of the anonymity withdrawal method above during execution of the program by processing means of said device.

BRIEF DESCRIPTION OF THE DRAWINGS

[0066] FIGS. 1 to 8 are flow charts illustrating various embodiments of methods according to the invention.

DESCRIPTION OF PREFERRED EMBODIMENTS

[0067] The invention is illustrated here, nonlimitingly, within the framework of a ring-signature technique as described in the aforesaid publication by R. Rivest, et al.

[0068] Each entity E_(i) (1≦i≦r) of the set E is furnished with a public key PUB_(i) of RSA type, of modulus n_(i) and exponent e_(i), which defines a permutation f_(i) over {0, 1, 2, . . . , n_(i)-1}: f_(i)(x)=x^(e_(i)) modulo n_(i) (this permutation is the so-called RSA cipher function). The domain of the keys is widened to a common domain [0, 2^(b)-1], this defining the integer b chosen such that b≧log₂(n_(i)) for any i and the set B={0, 1, 2, . . . , 2^(b)-1}. Typically, b=1024 or 2048 depending on the RSA keys of the users. This widening makes it possible to have keys of different sizes depending on the members of the group. The functions g_(i) are defined from B into B. Denoting by q_(i)(x) and r_(i)(x) the quotient and the remainder of the Euclidean division of x by n_(i) (x=q_(i)(x).n_(i)+r_(i)(x) with 0≦r_(i)(x)<n_(i)), we have:

if (q_(i)(x)+1).n_(i)<2^(b), then g_(i)(x)=q_(i)(x).n_(i)+f_(i)(r_(i)(x)); and

if (q_(i)(x)+1).n_(i)≧2^(b), then g_(i)(x)=x.

[0069] This function g_(i) dependent on the public key PUB_(i) is invertible and its inverse h_(i) depends on the private key PR_(i) associated with PUB_(i):

if (q_(i)(y)+1).n_(i)<2^(b), then h_(i)(y)=q_(i)(y).n_(i)+f_(i)⁻¹(r_(i)(y)); and

if (q_(i)(y)+1).n_(i)≧2^(b), then h_(i)(y)=y,

[0070] f_(i)⁻¹ being the RSA decipher function, the inverse of f_(i), evaluated by means of the private key PR_(i).

[0071] The combination C is defined by means on the one hand of a symmetric cipher function CS_(k), constructed for example on the basis of a conventional algorithm such as DES (“Digital Encryption System”), AES (“Advanced Encryption System”), etc., and defining a permutation over B on the basis of a key k, and on the other hand of a hash function H, constructed for example on the basis of the conventional SHA-1 function and able to produce all the valid keys k. The key k is generated by hashing the message m to be signed: k=H(m). The combination function C_(m,v) is then given by:

C_(m,v)(y₁, y₂, . . . , y_(r)) = CS_(k)(y_(r) ⊕ CS_(k)(y_(r−1) ⊕ CS_(k)(y_(r−2) ⊕ . . . ⊕ CS_(k)(y₁ ⊕ v) . . . )))

[0072] where ⊕ designates the EXCLUSIVE OR operation.

[0073] This combination function is invertible for any position s, the solving of the ring equation (1) consisting simply in calculating:

[0074] u=CS_(k)(y_(s−1)⊕CS_(k)(y_(s−2)⊕ . . . ⊕CS_(k)(y₁⊕v) . . . ));

[0075] u′=DS_(k)(y_(s+1)⊕DS_(k)(y_(s+2)⊕ . . . ⊕DS_(k)(y_(r)⊕DS_(k)(v)) . . . )) by means of the symmetric deciphering function associated with CS_(k); then

[0076] y_(s)=u⊕u′

[0077] The invention modifies this known ring-signature mechanism by replacing one at least of the randomly drawn values of variability parameters, i.e. v and/or x_(i) for i≠s, by an identity trace of the signatory E_(s). Anonymity withdrawal data (AWD) are produced so as to be stored and kept secret by at least one anonymity withdrawal entity (AWE) in relation with an identification ID_(s) of the signatory E_(s). The identity trace, determined as a function of these AWD, subsequently makes it possible, if the need is felt, to revoke the anonymity afforded to the signatory by the ring-signature mechanism.

[0078] The AWE can be constituted by the signatory himself or by a trusted server supervised by an independent third party. It may also include both the signatory and such a trusted server.

[0079] With reference to the figures, depicted therein are the computer devices held by the possible signatories E_(i) of the group E, which consist for example of computers or terminals capable of communicating with one another through one or more telecommunication networks (not shown) (for example an IP type network such as the Internet or an Intranet). These devices are equipped with programs suitable for implementing the steps described hereinbelow. It is assumed that each member of the group E knows the public keys PUB_(i) of all the others. The identification of each member E_(i) is effected by means of an identity ID_(i), which may consist of the index i, the public key PUB_(i), and a certificate of X.509 type or other, etc.

[0080] FIGS. 2 to 4, 6 and 8 also show a trusted server S usable in certain embodiments of the method. This server is linked to the telecommunication network and is also equipped with programs suitable for implementing the steps described hereinbelow. It may for example deploy a secure web server of SSLv3 type (see “The SSL Protocol - Version 3.0”, Internet Draft, IETF, November 1996). Requests are then sent to it according to the HTTPS protocol with client authentication.

[0081] The signatures involved (token, proof of signatory) may all be stored in known structures of the type PKCS#7-signedData or XML-DSig. Signature verifications may if appropriate entail the verification of the certificates' trust chain.

[0082] In the embodiments of the invention illustrated by FIGS. 1 to 6, the variability parameter value taken equal to the identity trace is the value of the additional parameter v serving to close the signature ring.

[0083] In the embodiment of FIG. 1, the AWE is constituted by the signatory E_(s). The latter's computer device draws a random number μ (step 1), which it stores as AWD in step 2, while keeping it secret. In step 3, the identity trace v is calculated by cryptographic hashing of the concatenation of the random number μ and of the message m to be signed:

v=h(μ∥m)

[0084] In the present description, the notation w∥z designates the concatenation of any two messages w and z, h designates a cryptographic hash function taking its values in B, and h′, h″ designate hash functions that may be the same as or different from h. These hash functions h, h′, h″ may be chosen from among those conventionally employed in cryptographic applications (SHA-1, MD-5, etc.).

[0085] After having obtained the identity trace v, the signatory's device randomly draws values x_(i) in B for 1≦i<s and s<i≦r in step 4 identical to the aforesaid step /b/, then executes the ring-signature in step 5 identical to the aforesaid steps /c/−/e/, with the values x_(i) (i≠s) for the parameters associated with the other members of the group E and the value v for the additional variability parameter.

[0086] The ring-signature (PUB₁, PUB₂, . . . , PUB_(r); v; x₁, x₂, . . . , x_(r)) may be appended to the message m to form the signed message M communicated by the signatory E_(s). The ring-signature is verifiable by anybody according to the verification algorithm /f/−/h/ described previously.

[0087] The anonymity withdrawal can be requested by a verifier V having a computer device able to communicate with those of the members of the group E by way of the telecommunication network and programmed in such a way as to be able to undertake the operations hereinbelow.

[0088] In a first step 100, the verifier V makes sure of the validity of the ring-signature. If the ring equation (1) is not satisfied for the signed message M, the signature is declared invalid. If it is valid, the verifier addresses at least one AWD request to an AWE, for example by e-mail.

[0089] In the case of FIG. 1 (AWE=E_(s)), this AWD request is sent to the members of the group E, only E_(s) being in a position to respond suitably thereto. If V guesses the identity of the signatory, he may send the request only to the latter. Otherwise, he addresses it to all the members of the group, either in succession until a satisfactory response is obtained, or simultaneously.

[0090] The AWD request can include the message m or a part thereof so that the recipient can know for which message an anonymity withdrawal is required. It may in particular include a hash h″(m) of the message m, that the signatory E_(s) has also preserved in memory in step 2 in relation with the AWD. In the processing of the request, E_(s) will thus be able to access the AWD required.

[0091] The signatory E_(s) determines whether he accepts withdrawal of his anonymity vis-à-vis V, this possibly requiring prior authentication of V by E_(s). Then, if he accepts, the stored AWD are read in step 6 and addressed to V in a message which may possibly be signed with the private key of E_(s) to guarantee its origin to V. Receiving a value μ* (=AWD) in such a message originating from an identified member E_(i), V verifies in step 101 whether it is a satisfactory response, i.e. whether h(μ*∥m) corresponds to the value v included in the ring-signature. If so, the anonymity of E_(s) is withdrawn by V. Otherwise, anonymity is maintained and another member of the group may possibly be interrogated in his or her turn.

[0092] The signatory E_(s) can also spontaneously withdraw his anonymity, by communicating μ to V (with m) or by publishing it on a website.
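The ring-signature of paragraphs [0037] to [0046] and [0068] to [0076], closed with the FIG. 1 identity trace v=h(μ∥m) and followed by the check of step 101, as an added example that is not part of the original text. Assumptions: toy sizes (b=64, constructed RSA primes), SHA-256 for H and h, and a 4-round Feistel network over SHA-256 standing in for CS_(k)/DS_(k); all function names are hypothetical.

```python
import hashlib
import secrets

B_BITS = 64            # toy ring width b (the text uses 1024 or 2048)
TOP = 1 << B_BITS      # B = {0, ..., 2^b - 1}

def keypair(p, q, e=65537):
    """Constructed toy RSA key: returns ((n, e), d)."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

# Constructed keys of different sizes, all with n_i < 2^b (insecure, demo only).
KEYS = [keypair(2147483647, 1000000007),
        keypair(998244353, 1000000009),
        keypair(524287, 999999937)]
PUBS = [pub for pub, _ in KEYS]

def hash_to_B(*parts):
    """h: SHA-256 of the concatenated parts, truncated to b bits."""
    digest = hashlib.sha256(b"".join(parts)).digest()
    return int.from_bytes(digest[:B_BITS // 8], "big")

def round_f(k, i, half):
    data = k + bytes([i]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def CS(k, x):
    """Keyed permutation over B (assumed stand-in for DES/AES)."""
    left, right = x >> 32, x & 0xFFFFFFFF
    for i in range(4):
        left, right = right, left ^ round_f(k, i, right)
    return (left << 32) | right

def DS(k, y):
    """Inverse permutation of CS under the same key."""
    left, right = y >> 32, y & 0xFFFFFFFF
    for i in reversed(range(4)):
        left, right = right ^ round_f(k, i, left), left
    return (left << 32) | right

def g_i(pub, x):
    """RSA cipher function widened to B, as in [0068]."""
    n, e = pub
    q, r = divmod(x, n)
    return q * n + pow(r, e, n) if (q + 1) * n < TOP else x

def h_i(pub, d, y):
    """Inverse of g_i, needs the private exponent d, as in [0069]."""
    n, _ = pub
    q, r = divmod(y, n)
    return q * n + pow(r, d, n) if (q + 1) * n < TOP else y

def ring_sign(m, pubs, s, d_s, v):
    """Steps /b/ to /e/ for signer index s (0-based), with v supplied."""
    k = hashlib.sha256(m).digest()                  # k = H(m)
    xs = [secrets.randbelow(TOP) for _ in pubs]     # /b/ (slot s is replaced)
    ys = [g_i(pub, x) for pub, x in zip(pubs, xs)]
    u = v                                           # forward part, [0074]
    for i in range(s):
        u = CS(k, ys[i] ^ u)
    u2 = DS(k, v)                                   # backward part, [0075]
    for i in range(len(pubs) - 1, s, -1):
        u2 = DS(k, ys[i] ^ u2)
    xs[s] = h_i(pubs[s], d_s, u ^ u2)               # /c/ and /d/
    return (list(pubs), v, xs)                      # /e/

def ring_verify(m, sig):
    """Steps /f/ to /h/: the ring must close on v."""
    pubs, v, xs = sig
    k = hashlib.sha256(m).digest()
    z = v
    for pub, x in zip(pubs, xs):
        z = CS(k, g_i(pub, x) ^ z)
    return z == v

def identity_trace(mu, m):
    """FIG. 1, step 3: v = h(mu || m); mu is the secret AWD."""
    return hash_to_B(mu, m)

def withdraw_anonymity(m, sig, mu_star):
    """Steps 100 and 101: valid ring, and h(mu* || m) equals v."""
    return ring_verify(m, sig) and identity_trace(mu_star, m) == sig[1]

def demo(s=1):
    m = b"constructed sample message"
    mu = secrets.token_bytes(16)                    # AWD kept by E_s
    sig = ring_sign(m, PUBS, s, KEYS[s][1], identity_trace(mu, m))
    return m, sig, mu

if __name__ == "__main__":
    m, sig, mu = demo()
    print(ring_verify(m, sig), withdraw_anonymity(m, sig, mu))
```

Only the holder of μ can make step 101 succeed; a verifier who has the signature alone sees v as an ordinary ring-closing value.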

[0093] The variant illustrated by FIG. 2 allows the withdrawal of anonymity by virtue of an anonymity withdrawal third party supervising a trusted server S. The signatory E_(s) generates a request for a random number μ′ (step 10), that it addresses to the server S. This request may contain a hash h″(m) of the message m for reference purposes. The server S authenticates E_(s) (step 200), for example within the framework of the establishing of an SSLv3 session or in accordance with the content of the message transporting the request. If E_(s) is properly authenticated, the processing of the request by S comprises the drawing of a first random number μ (step 201) which is stored and kept secret in relation with the identity ID_(s) of the signatory (step 202) and with h″(m). The value μ′ is then calculated by hashing μ in step 203 (μ′=h′(μ)) then returned to E_(s).

[0094] The identity trace v is obtained in step 11 by the signatory E_(s) by cryptographic hashing of the concatenation of μ′ and of the message to be signed m (or of just a part thereof): v=h(μ′∥m). The aforesaid steps 4 and 5 are then executed to produce the ring-signature.

[0095] After verification 100 of this ring-signature, V sends its AWD request to the trusted server S. This request may be accompanied by the hash h″(m) for message identification purposes. The server S can then read the requested AWD (step 204) and return them to V. Verification 101 allowing V to withdraw the anonymity then consists in testing whether h(h′(μ*)∥m)=v, where μ* is the random number value received from S. If the test is positive, V identifies E_(s) according to the identity obtained in the AWD.

[0096] It is noted that, in this embodiment, the server S has no knowledge of the message m before recording the AWD and that it cannot therefore a priori censor E_(s) (a cryptographic hash such as h″(m) does not give access to the content of m).

[0097] FIGS. 3 to 6 illustrate embodiments of the invention making it possible, once anonymity has been withdrawn, to have proof (authenticated withdrawals of anonymity). In these embodiments, there is a proof collection phase in respect of anonymity withdrawal, during which an entity produces a proof p that may in particular include the identity ID_(s) of the signatory and the message m. This proof is preserved as AWD by one or more AWE (trusted third parties and/or E_(s) itself). If E_(s) is not an AWE, an AWE sends E_(s) a hash q=h(p) which will serve as identity trace. After verification of the AWD, V can apply an algorithm for verifying the proof of anonymity withdrawal which returns ID_(s) if the proof is valid and which denies the anonymity withdrawal if the proof is invalid.

[0098] The proof can in particular be generated by electronic signing of a token J composed by concatenating a random number μ, the message m (or a part of the latter, in particular a hash) and possible extensions. The signing of the token J can be performed by E_(s) or by a trusted server S. In the latter case, it is judicious for the token J to also contain an identity ID_(s) of the signatory. The extensions of the token may comprise a serial number or other useful data. In an advantageous embodiment, these extensions include a timestamping token generated during composition of the token to be signed. This timestamping token can in particular be generated according to the TSP protocol (“Time Stamp Protocol”, see RFC 3161, “Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)”, August 2001, IETF); it then contains the date and the time of the token J and it is signed by a timestamping third party.

[0099] In the embodiment according to FIG. 3, the AWE consists of a trusted server S.

[0100] The signatory E_(s) generates a token request (step 20), that it addresses to the server S together with the message m or a part of the latter (this part may in particular consist of a hash h″(m) of the message m, thereby allowing S to generate the proof p without knowing the content of the message m). The server S authenticates E_(s) (200) and draws a random number μ (201) as previously. It then composes the token J in step 210: J=μ∥m∥ID_(s)∥ext or J=μ∥h″(m)∥ID_(s)∥ext, where ext designates the optional extensions. The server S then signs the token J by means of its private key in step 211, thereby producing the proof p stored in step 212. In step 213, it then calculates the value q=h(p), returned to E_(s) as response to the latter's request.

[0101] The identity trace v is taken equal to this value q in step 21 by the signatory E_(s). The aforesaid steps 4 and 5 are then executed to produce the ring-signature.

[0102] After verification 100 of this ring-signature, V sends his AWD request to the trusted server S. This request can be accompanied by the message m or by the hash h″(m) for message identification purposes. The server S can then read the requested AWD (step 214) and return them to V. Verification 101 allowing V to withdraw the anonymity then consists in testing whether h(p*)=v, where p* is the proof received from S. If the test is positive, V proceeds to verifications 110 according to the proof p. The withdrawal of the anonymity of E_(s) is effective only if these verifications are all positive. In step 110, V verifies:

[0103] consistency between the m found in p (or its hash h″(m)) and the message of the ring-signature M;

[0104] validity of ID_(s) and its consistency with PUB_(s);

[0105] validity of any extensions; and

[0106] validity of the signature of the token J by S, by means of the public key of S.

[0107] The embodiment illustrated by FIG. 4 is similar to that of FIG. 3, except that E_(s) signs the message m by means of its private key PR_(s) (step 30), and sends S the signed message m* in the token request generated in step 31. The server S verifies this signature by means of the public key PUB_(s) (step 220), draws the random number μ then composes the token in step 221 with the signed message m*: J=μ∥m*∥ID_(s)∥ext. The other operations are the same as those of FIG. 3. In step 110, V will be able to perform a further verification on the proof p, as to the validity of the signature of the message m by E_(s), by means of the public key PUB_(s) of E_(s). This further verification makes it possible to render the withdrawal of the anonymity of E_(s) non-repudiable.

[0108] Such non-repudiation can also be obtained by having the token J signed by the anonymous signatory E_(s), in an embodiment according to FIG. 5 which does not involve any trusted third party. A random number μ is firstly drawn (step 1) in the computer device of the signatory E_(s), which composes the token J in step 40: J=μ∥m∥ext or J=μ∥h″(m)∥ext. This token J is then signed by means of the private key PR_(s) (step 41), and the result (proof p) is stored as AWD in step 42 (if necessary in relation with a hash h″(m) of the message). In step 43, E_(s) determines the identity trace v=h(p), which it uses to establish the ring-signature as previously (steps 4 and 5). The AWD read in step 44 in response to the request of the verifier V comprise the proof p verified as previously in step 110 (except in that the signature of p is verified by means of the public key PUB_(s)).

[0109] In the variant of FIG. 6, the AWE consists jointly of the trusted server S and of the anonymous signatory E_(s), and the AWD are subdivided into a first part AWD1=(μ, ID_(s)) preserved by S and a second part AWD2=p preserved by E_(s). The latter begins by asking S for a random number μ′ as in the case of FIG. 2 (steps 10 and 200-203), this random number μ′ being produced by hashing a first random number μ preserved and kept secret with ID_(s) (and possibly h″(m)) by S as AWD1. The signatory E_(s) composes the token J in step 40 with the value μ′ returned by S (J=μ′∥m′∥ext), then he signs it in step 41 so as to obtain the proof p stored in step 42 as AWD2. The subsequent operations are similar to those of FIG. 5, except that during the anonymity withdrawal, V firstly addresses itself to S to obtain AWD1=(μ, ID_(s)), this allowing the latter to identify E_(s), then to E_(s) to obtain the proof p. The verification 110 can also pertain to the fact that the value μ′ found in the signed token does indeed result from the hashing of the random number μ returned by S in the AWD1.

[0110] In the embodiment of the invention illustrated by FIG. 7, the value of variability parameter taken equal to the identity trace is not v but the value of one of the parameters x_(j) associated with the other members E_(i) of the group E (j≠s). The index j is then chosen arbitrarily by the signatory E_(s) and appended to the AWD. The variable v then again becomes a random number.

[0111] In step 60, E_(s) draws two random numbers μ and v. The AWD recorded in step 61 comprise the values of the random number μ and of the index j (and possibly a hash h″(m) of the message m). The value of the parameter x_(j) associated with E_(j) is calculated in step 62 according to: x_(j)=h(μ∥m), and in step 63, E_(s) draws random values of the other x_(i), i.e. for i≠s and i≠j. The ring-signature is then executed as previously in step 5.

[0112] During anonymity withdrawal, E_(s) reads the AWD stored in step 64 and addresses them to V. On the basis of these data μ*, j*, the verification 120 allowing anonymity withdrawal consists in testing whether h(μ*∥m)=x_(j).
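The FIG. 5 trace (v=h(p), verifications 100, 101 and 110) and the FIG. 7 trace (x_(j)=h(μ∥m), verification 120) can be exercised end to end with the following Python sketch, which is an added example and not part of the patent text. The RSA ring equation with a Feistel permutation, the toy keys built from well-known primes, the textbook RSA token signature, SHA-512 as h, SHA-256 as h″, the empty ext field and all function names are assumptions made for illustration.

```python
import hashlib, secrets

B = 512                                  # bit width of the domain shared by all ring members
HALF, NB = B // 2, B // 8

def h(data: bytes) -> int:               # hash h of the description (assumed: SHA-512, B bits)
    return int.from_bytes(hashlib.sha512(data).digest(), "big")

def h2(data: bytes) -> bytes:            # hash h'' of the description (assumed: SHA-256)
    return hashlib.sha256(data).digest()

def keygen(p, q, e=65537):
    """Toy RSA key built from two well-known primes (constructed; not secure)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def g(key, x, exp):
    """RSA extended to a permutation of the B-bit domain (exp=e enciphers, exp=d deciphers)."""
    q, r = divmod(x, key["n"])
    if (q + 1) * key["n"] <= 1 << B:
        return q * key["n"] + pow(r, exp, key["n"])
    return x                             # the incomplete top block is left unchanged

def E(k, x, inverse=False):
    """Keyed permutation of B-bit integers: 4-round Feistel network over SHA-256."""
    L, R = x >> HALF, x & ((1 << HALF) - 1)
    F = lambda i, half: int.from_bytes(h2(k + bytes([i]) + half.to_bytes(HALF // 8, "big")), "big")
    for i in (reversed(range(4)) if inverse else range(4)):
        L, R = (R ^ F(i, L), L) if inverse else (R, L ^ F(i, R))
    return (L << HALF) | R

def ring_sign(m, pubs, s, priv_s, v, fixed=None):
    """Step 5: close the ring for signatory s. v and the x_i listed in `fixed` are imposed
    by the caller so that they can carry identity traces; the other x_i are random."""
    k, fixed = h2(m), fixed or {}
    assert s not in fixed, "the signatory's own x_s cannot be imposed"
    xs = [fixed.get(i, secrets.randbits(B)) for i in range(len(pubs))]
    ys = [g(pk, x, pk["e"]) for pk, x in zip(pubs, xs)]
    z = v
    for i in range(s):                           # forward from v to slot s
        z = E(k, ys[i] ^ z)
    w = v
    for i in range(len(pubs) - 1, s, -1):        # backward from v to slot s
        w = E(k, w, inverse=True) ^ ys[i]
    y_s = E(k, w, inverse=True) ^ z              # complementary value of the ring equation
    xs[s] = g(priv_s, y_s, priv_s["d"])          # deciphered with PR_s
    return {"pubs": pubs, "xs": xs, "v": v}

def ring_verify(m, sig):
    """Verification 100: encipher every x_i and check that the ring equation returns v."""
    k, z = h2(m), sig["v"]
    for pk, x in zip(sig["pubs"], sig["xs"]):
        z = E(k, g(pk, x, pk["e"]) ^ z)
    return z == sig["v"]

def make_proof(m, priv_s):
    """FIG. 5, steps 1 and 40-42: J = mu || h''(m); proof p = J with its signature by PR_s."""
    J = secrets.token_bytes(32) + h2(m)
    token_sig = pow(h(J) % priv_s["n"], priv_s["d"], priv_s["n"])   # textbook RSA, toy only
    return J + token_sig.to_bytes(NB, "big")     # kept secret as AWD; the trace is v = h(p)

def withdraw_fig5(m, sig, p, s):
    """Verifications 100, 101 and 110 for a proof p* released by E_s."""
    if not ring_verify(m, sig) or h(p) != sig["v"] or len(p) != 64 + NB:
        return False
    J, token_sig, pk = p[:64], int.from_bytes(p[64:], "big"), sig["pubs"][s]
    return (J[32:] == h2(m)                                          # J names this message
            and pow(token_sig, pk["e"], pk["n"]) == h(J) % pk["n"])  # p was signed by PR_s

def withdraw_fig7(m, sig, mu, j):
    """Verification 120: h(mu* || m) must equal the x_j carried by the ring signature."""
    return ring_verify(m, sig) and h(mu + m) == sig["xs"][j]

def demo():
    keys = [keygen(2**61 - 1, 2**89 - 1), keygen(2**107 - 1, 2**127 - 1),
            keygen(2**130 - 5, 2**255 - 19)]
    pubs = [{"n": k["n"], "e": k["e"]} for k in keys]
    m, s = b"constructed sample message", 1
    p = make_proof(m, keys[s])                              # FIG. 5: v = h(p)
    sig5 = ring_sign(m, pubs, s, keys[s], v=h(p))
    mu, j = secrets.token_bytes(32), 2                      # FIG. 7: x_j = h(mu || m), v random
    sig7 = ring_sign(m, pubs, s, keys[s], v=secrets.randbits(B), fixed={j: h(mu + m)})
    return {
        "fig5_ok": withdraw_fig5(m, sig5, p, s),
        "fig5_wrong_member": withdraw_fig5(m, sig5, p, 0),
        "fig5_forged_proof": withdraw_fig5(m, sig5, make_proof(m, keys[0]), 0),
        "fig7_ok": withdraw_fig7(m, sig7, mu, j),
        "fig7_wrong_mu": withdraw_fig7(m, sig7, secrets.token_bytes(32), j),
        "tampered_message": ring_verify(b"another message", sig5),
    }

if __name__ == "__main__":
    print(demo())
```

In the FIG. 5 case the proof verifies only under the public key of the member who signed the token, which is what makes the withdrawal non-repudiable; in the FIG. 7 case the check shows only knowledge of μ.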

[0113] If several signatories agree to sign a message in the name of a group E to which they belong, it is possible to use the method described hereinabove, and all its variants, in order to devise a multi-signature protocol involving one or more co-signatories in addition to E_(s).

[0114] The multi-signature protocol can run as follows:

[0115] one of the signatories E_(s) summons the other or others to obtain their agreement;

[0116] each co-signatory E_(t) returns his own identity trace determined by one of the above variants to E_(s) or has it sent back to the latter;

[0117] E_(s) determines his own identity trace;

[0118] E_(s) determines the identity trace of each co-signatory E_(t) in place of the value of the parameter x_(j) which is respectively associated therewith (as in the case of FIG. 7), and his own identity trace as variable v for executing the ring-signature.

[0119] The anonymity withdrawal can then be partial: certain co-signatories may choose to reveal themselves, others not necessarily. If every one is passed by a third party, the latter can withdraw the anonymity of everyone simultaneously.

[0120] FIG. 8 illustrates an embodiment of the multi-signature, where there is a co-signatory E_(t) in addition to the main signatory E_(s) who executes the ring-signature.

[0121] The signatories E_(s), E_(t) confer so as to agree to sign the message m in common, with E_(s) as main signatory, then they each send a token request to the trusted server S (steps 300). This request contains the message m to be signed (or h″(m) or else the message m signed with the private key of the sender), as well as the designation s of the main signatory. Before returning these requests, S can verify their compatibility, i.e. that the messages m transmitted with the respective requests of the various signatories are indeed the same and that they all designate the same main signatory. For each signatory, S then separately executes steps 200, 201, and 210-213 similar to those of FIG. 3 to produce two distinct proofs p_(s), p_(t) whose hashed versions q_(s)=h(p_(s)) and q_(t)=h(p_(t)) are returned to E_(s) as identity traces of E_(s) and E_(t), respectively. The main signatory E_(s) then assigns the identity traces q_(s) and q_(t) to the variables v and x_(t) (step 301), then he randomly draws the values of the other parameters x_(i) (i≠s and i≠t) in step 302 before executing the ring-signature in step 5.

[0122] The proofs p_(s) and p_(t) can then be verified separately or simultaneously by V at the server S.

[0123] Two multi-signature cases in particular are interesting:

[0124] the signatories use unauthenticated identity traces; this yields a “common suggestion box” concept, the signatories wishing to claim their collaboration;

[0125] the signatories use authenticated identity traces (for example according to FIG. 8): a cryptographic trace of a kind of group deliberation is thus retained. The ring-signature behaves like a commitment of the signatories who preserve their anonymity. Anonymity can however be withdrawn if need be.

We claim:
 1. A method of electronic signing a message by an anonymous signatory belonging to a group of r possible signatories each having an associated public key and an associated private key in an asymmetric cryptography scheme, r being an integer greater than 1, the method comprising the following steps executed in an electronic signature device of the anonymous signatory: obtaining at least r values of variability parameters including the values of r-1 variability parameters respectively associated with the other possible signatories of the group and at least one additional parameter value; enciphering the values of the r-1 variability parameters associated with the other possible signatories of the group, by means of the respective public keys of said other possible signatories, thereby producing r-1 enciphered values respectively associated with the other possible signatories of the group; determining a complementary value which satisfies a ring equation whose variables are the message to be signed, each of the r-1 enciphered values associated with the other possible signatories of the group, each additional parameter value and said complementary value; deciphering the complementary value determined, by means of the private key of the anonymous signatory, thereby producing the value of a variability parameter associated with the anonymous signatory; and delivering an electronic signature of the message comprising the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, wherein at least one of the r variability parameter values is an identity trace of the anonymous signatory, determined as a function of anonymity withdrawal data stored and kept secret by at least one anonymity withdrawal entity in relation with an identification of the anonymous signatory.
 2. The method as claimed in claim 1, wherein the anonymous signatory constitutes the anonymity withdrawal entity.
 3. The method as claimed in claim 2, further comprising the following steps executed in the electronic signature device of the anonymous signatory: drawing a random value; and storing and keeping secret at least said random value as anonymity withdrawal data.
 4. The method as claimed in claim 1, further comprising the steps of: authenticating the anonymous signatory at the anonymity withdrawal entity; drawing a random value at the anonymity withdrawal entity; storing and keeping secret at least said random value and an identification of the anonymous signatory as anonymity withdrawal data at the anonymity withdrawal entity; transmitting from the anonymity withdrawal entity to the electronic signature device of the anonymous signatory an intermediate value obtained by cryptographic hashing of said random value; and generating the identity trace of the anonymous signatory at the device of the anonymous signatory as a function of the intermediate value received from the anonymity withdrawal entity.
 5. The method as claimed in claim 4, wherein the identity trace of the anonymous signatory is generated by hashing a concatenation of elements comprising at least the intermediate value received from the anonymity withdrawal entity and part at least of the message to be signed.
 6. The method as claimed in claim 5, wherein the concatenated elements further comprise a timestamping token.
 7. The method as claimed in claim 5, wherein said part of the message to be signed is obtained by the electronic signature device of the anonymous signatory by cryptographic hashing of said message to be signed, and transmitted to the server for the composition of the token to be signed.
 8. The method as claimed in claim 1, further comprising the steps of: generating a proof signed by means of a private key and depending on an identification of the anonymous signatory and on the message to be signed; storing and keeping secret at least said proof as anonymity withdrawal data at the anonymity withdrawal entity; and generating the identity trace of the anonymous signatory by cryptographic hashing of data including said proof.
 9. The method as claimed in claim 8, further comprising the following steps executed in a server supervised by a third party: authenticating the anonymous signatory; drawing a random value; and composing a token to be signed by concatenating elements comprising at least said random value, at least a part, received from the anonymous signatory, of the message to be signed, and the identification of the anonymous signatory, and wherein said proof is produced by signing the token to be signed.
 10. The method as claimed in claim 9, wherein the concatenated elements further comprise a timestamping token.
 11. The method as claimed in claim 9, wherein said part of the message to be signed is obtained by the electronic signature device of the anonymous signatory by cryptographic hashing of said message to be signed, and transmitted to the server for the composition of the token to be signed.
 12. The method as claimed in claim 9, wherein the anonymity withdrawal entity includes the server supervised by the third party, and wherein the proof is signed by means of a private key of the third party.
 13. The method as claimed in claim 8, further comprising the steps of: signing the message by means of the private key of the anonymous signatory and transmitting the message thus signed to a server supervised by a third party; authenticating the anonymous signatory at the server and verifying the signature of the message by means of the public key of the anonymous signatory; drawing a random value at the server; and composing a token to be signed at the server by concatenating elements comprising at least said random value, at least part of the message signed by means of the private key of the anonymous signatory and the identification of the anonymous signatory, and wherein said proof is produced by signing the token to be signed.
 14. The method as claimed in claim 13, wherein the concatenated elements further comprise a timestamping token.
 15. The method as claimed in claim 13, wherein the anonymity withdrawal entity includes the server supervised by the third party, and wherein the proof is signed by means of a private key of the third party.
 16. The method as claimed in claim 8, wherein the anonymity withdrawal entity includes the anonymous signatory, and wherein the proof is signed by means of the private key of the anonymous signatory.
 17. The method as claimed in claim 16, further comprising the following steps executed in the electronic signature device of the anonymous signatory: drawing a random value; composing a token to be signed by concatenating elements comprising at least said random value and at least part of the message to be signed; and signing the token to produce said proof.
 18. The method as claimed in claim 17, wherein the concatenated elements further comprise a timestamping token.
 19. The method as claimed in claim 17, wherein said part of the message to be signed is obtained by the electronic signature device of the anonymous signatory by cryptographic hashing of said message to be signed, and transmitted to the server for the composition of the token to be signed.
 20. The method as claimed in claim 16, wherein the anonymity withdrawal entity further includes a server supervised by a third party.
 21. The method as claimed in claim 20, further comprising the steps of: authenticating the anonymous signatory at the server; drawing a random value at the server; storing and keeping secret at least said random value and an identification of the anonymous signatory as first anonymity withdrawal data at the server; transmitting from the server to the electronic signature device of the anonymous signatory an intermediate value obtained by cryptographic hashing of said random value; composing a token to be signed by concatenating elements comprising at least said intermediate value and at least part of the message to be signed; signing the token at the device of the anonymous signatory to produce said proof; and storing and keeping secret at least said proof as second anonymity withdrawal data at the device of the anonymous signatory.
 22. The method as claimed in claim 20, wherein the concatenated elements further comprise a timestamping token.
 23. The method as claimed in claim 20, wherein said part of the message to be signed is obtained by the electronic signature device of the anonymous signatory by cryptographic hashing of said message to be signed, and transmitted to the server for the composition of the token to be signed.
 24. The method as claimed in claim 1, wherein the anonymity withdrawal data are stored in relation with a reference obtained by cryptographic hashing of at least the message to be signed.
 25. The method as claimed in claim 1, wherein the identity trace of the anonymous signatory is obtained by cryptographic hashing of a concatenation of the anonymity withdrawal data and of at least part of the message to be signed.
 26. The method as claimed in claim 1, wherein the identity trace of the anonymous signatory is distinct from the values of the r-1 variability parameters associated with the other possible signatories of the group.
 27. The method as claimed in claim 1, wherein the identity trace of the anonymous signatory comprises at least one value selected from the r-1 variability parameters associated with the other possible signatories of the group and wherein the anonymity withdrawal data include a tag of the selected value.
 28. The method as claimed in claim 1, wherein the electronic signature device of the anonymous signatory receives an identity trace of at least one co-signatory distinct from the anonymous signatory and belonging to the group of possible signatories, said identity trace being generated by means of complementary anonymity withdrawal data respectively stored and kept secret for said co-signatory, and wherein the electronic signature device of the anonymous signatory uses said identity trace of the co-signatory as a value of the variability parameter associated with said co-signatory.
 29. The method as claimed in claim 28, wherein each co-signatory turns to a server supervised by a third party for the production of the complementary anonymity withdrawal data, the identity trace of each co-signatory being received by the electronic signature device of the anonymous signatory from said server.
 30. An electronic signature device for signing messages by an anonymous signatory belonging to a group of r possible signatories each having an associated public key and an associated private key in an asymmetric cryptography scheme, r being an integer greater than 1, the electronic signature device comprising: means for obtaining at least r values of variability parameters including the values of r-1 variability parameters respectively associated with the other possible signatories of the group and at least one additional parameter value; means for enciphering the values of the r-1 variability parameters associated with the other possible signatories of the group, by means of the respective public keys of said other possible signatories, thereby producing r-1 enciphered values respectively associated with the other possible signatories of the group; means for determining a complementary value which satisfies a ring equation whose variables are the message to be signed, each of the r-1 enciphered values associated with the other possible signatories of the group, each additional parameter value and said complementary value; means for deciphering the complementary value determined, by means of the private key of the anonymous signatory, thereby producing the value of a variability parameter associated with the anonymous signatory; and means for delivering an electronic signature of the message comprising the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, wherein at least one of the r variability parameter values is an identity trace of the anonymous signatory, determined as a function of anonymity withdrawal data stored and kept secret by at least one anonymity withdrawal entity in relation with an identification of the anonymous signatory.
 31. A computer program product to be installed in an electronic signature device for electronic signing messages by an anonymous signatory belonging to a group of r possible signatories each having an associated public key and an associated private key in an asymmetric cryptography scheme, r being an integer greater than 1, comprising instructions for implementing the following steps when executed by processing means of said signature device: obtaining at least r values of variability parameters including the values of r-1 variability parameters respectively associated with the other possible signatories of the group and at least one additional parameter value, wherein at least one of the r variability parameter values is an identity trace of the anonymous signatory, determined as a function of anonymity withdrawal data stored and kept secret by at least one anonymity withdrawal entity in relation with an identification of the anonymous signatory; enciphering the values of the r-1 variability parameters associated with the other possible signatories of the group, by means of the respective public keys of said other possible signatories, thereby producing r-1 enciphered values respectively associated with the other possible signatories of the group; determining a complementary value which satisfies a ring equation whose variables are the message to be signed, each of the r-1 enciphered values associated with the other possible signatories of the group, each additional parameter value and said complementary value; deciphering the complementary value determined, by means of the private key of the anonymous signatory, thereby producing the value of a variability parameter associated with the anonymous signatory; and delivering an electronic signature of the message comprising the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value.
 32. A method for withdrawing anonymity of the anonymous signatory of an electronically signed message, wherein the anonymous signatory belongs to a group of r possible signatories each having an associated public key and an associated private key in an asymmetric cryptography scheme, r being an integer greater than 1, wherein the electronic signature of said message is generated in a process comprising the following steps executed in an electronic signature device of the anonymous signatory: obtaining at least r values of variability parameters including the values of r-1 variability parameters respectively associated with the other possible signatories of the group and at least one additional parameter value, wherein at least one of the r variability parameter values is an identity trace of the anonymous signatory, determined as a function of anonymity withdrawal data stored and kept secret by at least one anonymity withdrawal entity in relation with an identification of the anonymous signatory; enciphering the values of the r-1 variability parameters associated with the other possible signatories of the group, by means of the respective public keys of said other possible signatories, thereby producing r-1 enciphered values respectively associated with the other possible signatories of the group; determining a complementary value which satisfies a ring equation whose variables are the message to be signed, each of the r-1 enciphered values associated with the other possible signatories of the group, each additional parameter value and said complementary value; deciphering the complementary value determined, by means of the private key of the anonymous signatory, thereby producing the value of a variability parameter associated with the anonymous signatory; and delivering an electronic signature of the message comprising the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, the method for withdrawing anonymity comprising the steps of: verifying the electronic signature of the message, by extracting from the electronic signature of the message the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, by obtaining r enciphered values by enciphering the values of the variability parameters associated with the r possible signatories of the group by means of their respective public keys, and by making sure that the message, the r enciphered values and each additional value together satisfy the ring equation; recovering the anonymity withdrawal data stored by the anonymity withdrawal entity in relation with the identification of the anonymous signatory; recalculating the identity trace of the anonymous signatory as a function of the anonymity withdrawal data recovered; and verifying that the recalculated identity trace corresponds to the identity trace included in the r values of variability parameters forming part of the electronic signature of the message.
 33. A computer device for withdrawing anonymity of at least one anonymous signatory of an electronically signed message, wherein the anonymous signatory belongs to a group of r possible signatories each having an associated public key and an associated private key in an asymmetric cryptography scheme, r being an integer greater than 1, wherein the electronic signature of said message is generated in a process comprising the following steps executed in an electronic signature device of the anonymous signatory: obtaining at least r values of variability parameters including the values of r-1 variability parameters respectively associated with the other possible signatories of the group and at least one additional parameter value, wherein at least one of the r variability parameter values is an identity trace of the anonymous signatory, determined as a function of anonymity withdrawal data stored and kept secret by at least one anonymity withdrawal entity in relation with an identification of the anonymous signatory; enciphering the values of the r-1 variability parameters associated with the other possible signatories of the group, by means of the respective public keys of said other possible signatories, thereby producing r-1 enciphered values respectively associated with the other possible signatories of the group; determining a complementary value which satisfies a ring equation whose variables are the message to be signed, each of the r-1 enciphered values associated with the other possible signatories of the group, each additional parameter value and said complementary value; deciphering the complementary value determined, by means of the private key of the anonymous signatory, thereby producing the value of a variability parameter associated with the anonymous signatory; and delivering an electronic signature of the message comprising the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, said computer device comprising: means for verifying the electronic signature of the message, by extracting from the electronic signature of the message the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, by obtaining r enciphered values by enciphering the values of the variability parameters associated with the r possible signatories of the group by means of their respective public keys, and by making sure that the message, the r enciphered values and each additional value together satisfy the ring equation; means for recovering the anonymity withdrawal data stored by the anonymity withdrawal entity in relation with the identification of the anonymous signatory; means for recalculating the identity trace of the anonymous signatory as a function of the anonymity withdrawal data recovered; and means for verifying that the recalculated identity trace corresponds to the identity trace included in the r values of variability parameters forming part of the electronic signature of the message.
 34. A computer program product to be installed in a computer device for withdrawing anonymity of at least one anonymous signatory of an electronically signed message, wherein the anonymous signatory belongs to a group of r possible signatories each having an associated public key and an associated private key in an asymmetric cryptography scheme, r being an integer greater than 1, wherein the electronic signature of said message is generated in a process comprising the following steps executed in an electronic signature device of the anonymous signatory: obtaining at least r values of variability parameters including the values of r-1 variability parameters respectively associated with the other possible signatories of the group and at least one additional parameter value, wherein at least one of the r variability parameter values is an identity trace of the anonymous signatory, determined as a function of anonymity withdrawal data stored and kept secret by at least one anonymity withdrawal entity in relation with an identification of the anonymous signatory; enciphering the values of the r-1 variability parameters associated with the other possible signatories of the group, by means of the respective public keys of said other possible signatories, thereby producing r-1 enciphered values respectively associated with the other possible signatories of the group; determining a complementary value which satisfies a ring equation whose variables are the message to be signed, each of the r-1 enciphered values associated with the other possible signatories of the group, each additional parameter value and said complementary value; deciphering the complementary value determined, by means of the private key of the anonymous signatory, thereby producing the value of a variability parameter associated with the anonymous signatory; and delivering an electronic signature of the message comprising the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, the computer program product comprising instructions for implementing the following steps when executed by processing means of said computer device: verifying the electronic signature of the message, by extracting from the electronic signature of the message the respective public keys of the r possible signatories of the group, the values of the variability parameters respectively associated with the r possible signatories of the group and each additional parameter value, by obtaining r enciphered values by enciphering the values of the variability parameters associated with the r possible signatories of the group by means of their respective public keys, and by making sure that the message, the r enciphered values and each additional value together satisfy the ring equation; recovering the anonymity withdrawal data stored by the anonymity withdrawal entity in relation with the identification of the anonymous signatory; recalculating the identity trace of the anonymous signatory as a function of the anonymity withdrawal data recovered; and verifying that the recalculated identity trace corresponds to the identity trace included in the r values of variability parameters forming part of the electronic signature of the message.